
8 tips to tighten up your work‑from‑home network

You don't have to be an IT guru to beef up your cybersecurity at home. Sometimes it's enough to ask yourself, "Which bits can I turn off?"

Earlier this week, we published an article headlined “If you connect it, protect it.”
The TL;DR version of that article is, of course, exactly the same as the headline: if you connect it, protect it.
Every time you hook up a poorly-protected device to your network, you run the risk that crooks will find it, probe it, attack it, exploit it and – if things end badly – use it as a toehold to dig into your digital life.
Criminals who figure out how to commandeer a vulnerable device inside your network can use that device to map out, scan and attack your laptop – the one you’re using right now to work from home – as if they were right there beside you.


If you’ve ever played around with IoT devices, for example, you’ll probably know that many of them are based on the Linux kernel and the open source system software that typically forms the core of any Linux distribution.
Indeed, even the tiniest and most stripped-down devices often include not only special-purpose software tailored to that device, but also a host of standard Unix command line utilities that are the same as, or very similar to, the tools you will find in any penetration tester’s toolbox.
For example, a device such as a webcam or smart speaker usually doesn’t just contain audio and video processing code.
You’ll probably also find:

  • One or more command shells. Shells such as bash, lash, ash or dash make it easy to run command scripts to automate system management tasks.
  • LAN and wireless configuration programs. Tools such as ifconfig, ip, iwlist and iwconfig make it straightforward to map out and configure network settings.
  • Downloader tools. Programs such as curl and wget can be used not only for downloading files over the internet, but also for uploading stolen data to outside websites, typically just with a single command.
  • Other scripting software. You will often find programming tools such as awk, mawk or gawk, implementations of a minimalist scripting language that can be used to write internet clients and servers, as well as to sift and search files, all in just a few lines of code.
  • Scheduling tools. Programs such as cron or an equivalent make it easy to schedule programs to run at regular times even when no one is logged in, for example to watch for computers being connected to the network and send back a notification message.
  • Remote access and encryption tools. Many IoT devices include both SSH client and server software such as ssh, sshd or dropbear. These give crooks a way to create secret, encrypted network “tunnels” into and out of your network using software that’s already there.
  • Network and account passwords. Your Wi-Fi password may very well be stored in a plaintext file on the device, such as /etc/wpa_supplicant.conf. Password or authentication tokens for any accounts that the device is hooked up to may also be lying around for the taking.

Generally speaking, the closer the crooks get to your computer on the internet, the more aggressively they can attack it – and the next best thing to being on your computer already is to be right next door on the same network with their favourite hacking tools preinstalled.

What to do?

By now, it might sound as though you need an enormous range of skills just to figure out where to start, let alone where to finish, in securing your own network to be robust enough for WFH. (ICYMI, that’s short for working from home.)
The good news is that you don’t need the combined practical experience of an IT manager, a tech support guru, a penetration tester and a network engineer.
We’ve come up with eight questions you can ask yourself about devices on your home network, and about the setup of your network, that will help you run a tighter WFH ship.
Think of it as going through your very own Cybersecurity Awareness Month at home:

  • Step 1. Do I actually need this device online? If not, consider removing it from your network. Or if you don’t need it listening in or activated all the time, consider powering it down when you aren’t using it. (Unplugging it from the wall socket is often all you need to do.)
  • Step 2. Do I know how to update it? If not, find out how. If the vendor can’t reassure you about security updates, consider switching products to a vendor that does (and see step 1).
  • Step 3. Do I know how to configure it? Make sure you know what security settings are available, what they are for, and how to set them up (and see step 2).
  • Step 4. Have I changed any risky default settings? Many IoT devices come with remote troubleshooting features turned on, which crooks may be able to abuse. They also often arrive with default passwords set, which the crooks will definitely know. Some routers ship with Universal Plug and Play enabled, which can expose the inside of your network by mistake. Check and change defaults before you make the device live (and see steps 2 and 3).
  • Step 5. How much am I sharing? If the device is hooked up to an online service, familiarise yourself with how much data the device is sharing, and how often. You may be happy to share some data, but never feel squeezed into turning all the options “to the max” (and see steps 3 and 4).
  • Step 6. Can I “divide and conquer” my network? Some home routers let you split your Wi-Fi into two networks that can be managed separately. This is useful if you are working from home because it means you can put your home IoT devices on a “guest” network and your work computers such as laptops on another (and see steps 1, 2, 3, 4 and 5).
  • Step 7. Can I turn on “client isolation”? Some home routers have an option known as client isolation that shields devices on the network from each other. This reduces the risk of a security hole in one device being used to attack other computers “from inside” (and see steps 1, 2, 3, 4, 5, and 6).
  • Step 8. Do I know whom to turn to if there’s a problem? If your work has an IT department or offers access to tech support, make sure you know where to report anything suspicious. Ask them what information they are likely to need and provide it at the outset, in order to speed up the process.
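The following shell script is an added example, not code from the article or from Sophos: a read-only inventory you can run on a Linux-based device you administer (a Raspberry Pi or a router with shell access will do) to see which of the tools from the list earlier in the article are present, what is listening for TCP connections (the "remote troubleshooting" defaults of step 4), and whether the Wi-Fi secrets file the article names is readable by every local account. The tool groupings and the path /etc/wpa_supplicant.conf come from the article; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article): inventory a Linux-based device you own.
# Read-only: it only looks for programs on PATH, file permission bits and
# existing TCP listeners, and changes nothing.

# Print those names from a space-separated list that exist on PATH.
find_tools() {
    found=""
    for t in $1; do
        command -v "$t" >/dev/null 2>&1 && found="$found $t"
    done
    printf '%s\n' "${found# }"
}

# Classify a file as absent, restricted, or world-readable (other-read bit set).
secret_file_status() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ "$(ls -ld "$1" | cut -c8)" = r ]; then
        echo world-readable
    else
        echo restricted
    fi
}

# Local address:port of every TCP listener, using ss or netstat, whichever exists.
listening_ports() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk 'NR > 2 {print $4}'
    fi
}

# One line per tool group from the article's list, then secrets and listeners.
inventory() {
    for group in \
        "shells:sh bash ash dash lash" \
        "net-config:ifconfig ip iwlist iwconfig" \
        "downloaders:curl wget" \
        "scripting:awk mawk gawk" \
        "scheduling:cron crond" \
        "remote-access:ssh sshd dropbear"; do
        present=$(find_tools "${group#*:}")
        printf '%-14s %s\n' "${group%%:*}" "${present:-none}"
    done
    printf '%-14s %s\n' wifi-secrets "$(secret_file_status /etc/wpa_supplicant.conf)"
    printf '%-14s %s\n' listening "$(listening_ports | tr '\n' ' ')"
}

inventory
```

A device that reports sshd or dropbear, curl or wget, and a world-readable wifi-secrets file is exactly the ready-made toolkit the article describes, which is a good reason to revisit steps 1, 4 and 6 for it.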

By the way, if you’re an IT department looking after remote workers, make it easy for your less-technical colleagues to reach out for cybersecurity advice, or to report suspicious activity, and take the attitude that there’s no such thing as a stupid question, only a stupid answer.
In our experience, most employees are ready and willing to do the right thing when it comes to cybersecurity – after all, if they get hacked while WFH then their own digital life is at risk along with the company’s.
Set up an internal email or telephone reporting line where users can easily and efficiently report possible attacks and get the whole company to be the eyes and ears of the security team!

SOPHOS FIREWALL HOME EDITION – 100% FREE

If you’re a techie, or have willing techie friends to help you set it up, you can run the Sophos XG Firewall Home Edition 100% free as your own secure home network gateway. You will need to provide your own virtual machine or a dedicated computer (a recent but retired laptop might do the trick for you) but you get all the product features for free, including email filtering, web filtering, a home VPN, and more. It’s an industrial-strength cybersecurity product for free at home.


5 Comments

The WFH staff I have to support would be stuck at step 2. They don’t know what IoT is and no matter how many educational emails they delete without reading, cannot comprehend the importance of passwords in a MS365 environment.
I have a 12-character password policy – “The strength is in the length” – yet Password2020 fits that policy and is still used extensively (until I find out).
This useful information is way over the heads of all of my 150 users.


You could implement some form of compulsory education and testing. In non-virtual life the National Archives do this (at least did last time I was down there). If you want access to their reading room you have to sit at a terminal and go through an education program about appropriate handling of archive material and then sit a multiple guess test before your reader’s card is validated to allow you into the reading room.
IT departments might implement something similar – just make sure that you have got senior staff through it so that when staff complain about “not being able to work because they can’t do the **** IT test”, managers can give the appropriate reply rather than ring you ordering you to short circuit the train and test regime for employee X.


I’m afraid I don’t have a good answer for you. I wrote the article for people who would like to help themselves by learning a bit more and then applying it, or for those who would like to try to help their friends along by pointing them in the right direction.
I guess the reason we still need Cybersecurity Awareness Month after 17 years is that same reason why Her Majesty’s Government has never given up on road safety – not merely passing laws but encouraging people to read their Highway Code. It’s important for every driver to stop (figuratively, if not literally) once in a while and think about why we have some of the regulations we do, e.g. rules about when and how to pull out into traffic; who gives way to whom on roundabouts; why cyclists are entitled to special consideration; what speed limits apply if there are no signs; why you can’t do U-turns on motorways; and why you can expect no sympathy if you fail a breath alcohol test as a driver.
I think that everyone, or most people at least, know what passwords are for and why they are important. They are just happy to ignore them because they can get away with it – in other words, they comprehend just fine, they simply don’t act because it feels as though it mostly doesn’t matter.
But I’m not prepared to give up trying.
In all walks of life there are things you might have wagered at one time would never become socially acceptable or generally agreed upon as the wrong (or right) thing to do. Examples might be: smoking, drink driving and seatbelts. When “experts” first started saying we should have a lot less of the first two and much more of the last (in the UK, I’d suggest the primary decades for those campaigns were the 1990s, 1970s and 1980s), it was just the experts saying it for a long while. But smoking (in the UK at least) is now down to under 15% of adults; drink driving, though there are many who still do it, is not socially acceptable at all; and no one seems to fuss about wearing a seatbelt any more. It’s just so obviously a wise precaution that you might as well do it.
Indeed, some of my tips don’t need technical skills – such as “do you really need this on your network at all?”. It’s when you encourage people to start at the very beginning that they think, “Maybe this cybersecurity thing does matter after all.” Because – let’s be serious for a moment – dealing with 12-character passwords, as annoying and unnecessary as it might feel, *isn’t actually that difficult* unless you are happy to pretend it’s super-complicated and to use that as an excuse for not bothering. Which is not the same as “not comprehending” – not the same at all.


Dave, why didn’t you just ask your team to telnet into their smart speakers and disable any unused services. Then configure the VLAN on their home router? /s
Actually your post nails just about every client interaction I’ve had in my career: delete the email, then write the password down on a sticky. Who needs passwords anyways if 365 is down for the day?

